RANDOM SEQUENCE GENERATING APPARATUS, 
ENCRYPTION/DECRYPTION APPARATUS, 
RANDOM SEQUENCE GENERATING METHOD, 
ENCRYPTION/DECRYPTION METHOD AND PROGRAM 

BACKGROUND OF THE INVENTION 
FIELD OF THE INVENTION 
The present invention relates to a random sequence generating apparatus, an 
encryption/decryption apparatus, a random sequence generating method, an 
encryption/decryption method and a program. 

DESCRIPTION OF THE RELATED ART 
Various random sequence generating techniques have been proposed so far. 
Random numbers acquired by those techniques are used in, for example, simulation of 
various kinds of physical phenomena and chemical phenomena in the Monte Carlo analysis 
and a block encryption system for privacy communications. 

It is desirable for those random sequence generating techniques to satisfy various
properties: the distribution of values included in an acquired random sequence
should be uniform; when one looks only at a predetermined bit in the numerical
expression of the values in a computer, the frequency of occurrence of "0" and "1" at
that bit should be as little lopsided as possible; and the period of a random sequence
should be as long as possible.

SUMMARY OF THE INVENTION 
Accordingly, it is an object of the invention to provide a random sequence
generating apparatus and random sequence generating method, which generate a sequence
of random numbers having a preferable property as a random sequence, an
encryption/decryption apparatus and encryption/decryption method which uses the random
sequence generating apparatus and method, and a program which achieves those
apparatuses and methods using a computer.

To achieve the object, according to the first aspect of the invention, there is 
provided a random sequence generating apparatus that generates a sequence of integers of 
w bits and comprises a seed receiving section, an initialization section, a transformation 
section, a rotation section, an updating section and an output section, which are designed as 
follows. 

The seed receiving section receives a sequence of integers s_1, s_2, ..., s_n, ..., s_m of w
bits as a seed for integers n and m (1 ≤ n ≤ m-1).

The initialization section provides the transformation section with the received
sequence of integers s_1, s_2, ..., s_n, ..., s_m as an integer sequence x_1, x_2, ..., x_n, ..., x_m.

The transformation section performs predetermined transformation on each of the
provided integer sequence x_1, x_2, ..., x_n, ..., x_m to acquire a sequence of integers
y_1, y_2, ..., y_n, ..., y_m of w bits.

The rotation section acquires a number of rotation bits from the sequence of
integers y_{n+1}, ..., y_m, performs a rotation operation by the acquired number of rotation
bits with respect to all of or a part of the sequence of integers y_1, y_2, ..., y_n, ..., y_m
taken as a bit sequence of wm bits, and acquires a sequence of integers
z_1, z_2, ..., z_n, ..., z_m of w bits from the acquired bit sequence of wm bits.

The updating section provides the transformation section with the sequence of
integers z_1, z_2, ..., z_n, ..., z_m as the integer sequence x_1, x_2, ..., x_n, ..., x_m.

The output section outputs a sequence of integers z_1, z_2, ..., z_n or z_{n+1}, ..., z_m
obtained last as a random sequence r_1, r_2, ..., r_n or r_1, r_2, ..., r_{m-n}, respectively,
in case where transformation in the transformation section and rotation in the rotation
section are repeated a predetermined number of times.

In the random sequence generating apparatus, the transformation section performs
transformation by recursion formulae given below for an integer i (1 ≤ i ≤ m-1) using
mapping g(·, ·)

y_1 = g(x_m, x_1)

In the random sequence generating apparatus, the transformation section can
perform transformation by recursion formulae given below for an integer i (1 ≤ i ≤ m-1) using
mapping g(·, ·)

y_1 = g(x_m, x_1)

y_{i+1} = g(x_i, x_{i+1}).

Alternatively, in the random sequence generating apparatus, the transformation
section can perform transformation by recursion formulae given below for an integer i
(1 ≤ i ≤ m-1) using a predetermined integer c and mapping g(·, ·)

y_1 = g(c, x_1)

y_{i+1} = g(y_i, x_{i+1}).

In the random sequence generating apparatus, the transformation section can also
perform transformation by recursion formulae given below for an integer i (1 ≤ i ≤ m-1) using
mapping g(·, ·)

y_1 = g(c, x_1)

y_{i+1} = g(x_i, x_{i+1}).

In any one of the random sequence generating apparatuses, the mapping g(·, ·) can
be defined as

g(a, b) = 2b^2 + h(a)b + q (mod 2^w)

from predetermined mapping h(·) and a predetermined integer q (0 ≤ q ≤ 2^w - 1).

In the random sequence generating apparatus, the mapping h(·) is defined as

h(a) = a.

In the random sequence generating apparatus, the mapping h(·) can be defined by
an operation of clearing a predetermined bit in a numerical expression of a given value.

In the random sequence generating apparatus, the mapping h(·) can be defined by
an operation of inverting a predetermined bit in a numerical expression of a given value.

In the random sequence generating apparatus, the mapping h(·) can be defined by
an operation of setting 01 to least significant two bits in a numerical expression of a given
value.

In any one of the random sequence generating apparatuses, taking the sequence of
integers y_{n+1}, ..., y_m as a bit sequence of w(m-n) bits, the rotation section can acquire, as the
number of rotation bits, an integer value equivalent to a bit sequence taken as an integer and
obtained by arranging at least one bit at a predetermined position extracted from the bit
sequence.

In the random sequence generating apparatus, taking the sequence of integers
y_{n+1}, ..., y_m as a bit sequence of w(m-n) bits, the rotation section can determine a direction of
rotation based on a value of a bit at a predetermined position in the bit sequence.

In any one of the random sequence generating apparatuses, the rotation section can
acquire a number of rotation bits from the sequence of integers y_{n+1}, ..., y_m, can perform a
rotation operation by the acquired number of rotation bits with respect to the sequence of
integers y_1, y_2, ..., y_n taken as a bit sequence of wn bits, can acquire a sequence of
integers z_1, z_2, ..., z_n of w bits from the acquired bit sequence of wn bits, can perform a
rotation operation by the acquired number of rotation bits with respect to the sequence of
integers y_{n+1}, ..., y_m taken as a bit sequence of w(m-n) bits, and can acquire a sequence of
integers z_{n+1}, ..., z_m of w bits from the acquired bit sequence of w(m-n) bits. That is, z_i is
y_i having undergone a rotation operation by a predetermined number of rotation bits.

According to the second aspect of the invention, there is provided an 
encryption/decryption apparatus comprising a rotation section, a message receiving section 
and an encryption/decryption section, which are designed as follows. 

The random sequence generating section generates a random sequence r_1, r_2, ..., r_n
by means of the aforementioned random sequence generating apparatus.

The message receiving section receives a sequence of integers p_1, p_2, ... of w bits as
a message.

The encryption/decryption section outputs a sequence of integers p_1 xor r_1, p_2 xor r_2,
..., p_i xor r_{((i+n-1) mod n) + 1}, ... as a result of encryption or decryption.

According to the third aspect of the invention, there is provided a random sequence
generating method that generates a sequence of integers of w bits and comprises a seed
receiving step, an initialization step, a transformation step, a rotation step, an updating step
and an output step, which are designed as follows.

The seed receiving step receives a sequence of integers s_1, s_2, ..., s_n, ..., s_m of w bits
as a seed for integers n and m (1 ≤ n ≤ m-1).

The initialization step provides the transformation step with the received sequence
of integers s_1, s_2, ..., s_n, ..., s_m as an integer sequence x_1, x_2, ..., x_n, ..., x_m.

The transformation step performs predetermined transformation on each of the
provided integer sequence x_1, x_2, ..., x_n, ..., x_m to acquire a sequence of integers
y_1, y_2, ..., y_n, ..., y_m of w bits.

The rotation step acquires a number of rotation bits from the sequence of integers
y_{n+1}, ..., y_m, performs a rotation operation by the acquired number of rotation bits with
respect to all of or a part of the sequence of integers y_1, y_2, ..., y_n, ..., y_m taken as a bit
sequence of wm bits, and acquires a sequence of integers z_1, z_2, ..., z_n, ..., z_m of w bits from
the acquired bit sequence of wm bits.

The updating step provides the transformation step with the sequence of integers
z_1, z_2, ..., z_n, ..., z_m as the integer sequence x_1, x_2, ..., x_n, ..., x_m.

The output step outputs a sequence of integers z_1, z_2, ..., z_n or z_{n+1}, ..., z_m obtained
last as a random sequence r_1, r_2, ..., r_n or r_1, ..., r_{m-n}, respectively, in case where
transformation in the transformation step and rotation in the rotation step are repeated a
predetermined number of times.

In the random sequence generating method, the transformation step can perform
transformation by recursion formulae given below for an integer i (1 ≤ i ≤ m-1) using
mapping g(·, ·)

y_1 = g(x_m, x_1)

y_{i+1} = g(x_i, x_{i+1}).

Alternatively, in the random sequence generating method, the transformation step
can perform transformation by recursion formulae given below for an integer i (1 ≤ i ≤ m-1)
using a predetermined integer c and mapping g(·, ·)

y_1 = g(c, x_1)

y_{i+1} = g(y_i, x_{i+1}).

In the random sequence generating method, the transformation step also can
perform transformation by recursion formulae given below for an integer i (1 ≤ i ≤ m-1) using
mapping g(·, ·)

y_1 = g(c, x_1)

y_{i+1} = g(x_i, x_{i+1}).

In any of the random sequence generating methods, the mapping g(·, ·) can be
defined as

g(a, b) = 2b^2 + h(a)b + q (mod 2^w)

from predetermined mapping h(·) and a predetermined integer q (0 ≤ q ≤ 2^w - 1).

In the random sequence generating method, the mapping h(·) can be defined as

h(a) = a.

In the random sequence generating method, the mapping h(·) can be defined by an
operation of clearing a predetermined bit in a numerical expression of a given value.

In the random sequence generating method, the mapping h(·) can be defined by an
operation of inverting a predetermined bit in a numerical expression of a given value.

In the random sequence generating method, the mapping h(·) can be defined by an
operation of setting 01 to least significant two bits in a numerical expression of a given
value.

In any one of the random sequence generating methods, taking the sequence of
integers y_{n+1}, ..., y_m as a bit sequence of w(m-n) bits, the rotation step can acquire, as the
number of rotation bits, an integer value equivalent to a bit sequence taken as an integer and
obtained by arranging at least one bit at a predetermined position extracted from the bit
sequence.

In the random sequence generating method, taking the sequence of integers y_{n+1}, ...,
y_m as a bit sequence of w(m-n) bits, the rotation step can determine a direction of rotation
based on a value of a bit at a predetermined position in the bit sequence.

In any one of the random sequence generating methods, the rotation step can
acquire a number of rotation bits from the sequence of integers y_{n+1}, ..., y_m, can perform a
rotation operation by the acquired number of rotation bits with respect to the sequence of
integers y_1, y_2, ..., y_n taken as a bit sequence of wn bits, can acquire a sequence of
integers z_1, z_2, ..., z_n of w bits from the acquired bit sequence of wn bits, can perform a
rotation operation by the acquired number of rotation bits with respect to the sequence of
integers y_{n+1}, ..., y_m taken as a bit sequence of w(m-n) bits, and can acquire a sequence of
integers z_{n+1}, ..., z_m of w bits from the acquired bit sequence of w(m-n) bits.

According to the fourth aspect of the invention, there is provided an 
encryption/decryption method comprising a random sequence generating step, a message 
receiving step and an encryption/decryption step, which are designed as follows. 

The random sequence generating step generates a random sequence r_1, r_2, ..., r_n by
means of the aforementioned random sequence generating apparatus.

The message receiving step receives a sequence of integers p_1, p_2, ... of w bits as a
message.

The encryption/decryption step outputs a sequence of integers p_1 xor r_1, p_2 xor r_2, ...,
p_i xor r_{((i+n-1) mod n) + 1}, ... as a result of encryption or decryption.

According to the fifth aspect of the invention, there is provided a program which 
allows a computer to function as the aforementioned random sequence generating apparatus 
or encryption/decryption apparatus or to execute the aforementioned random sequence 
generating method or encryption/decryption method.

Those programs may be recorded in a computer readable information recording
medium, such as a compact disk, a flexible disk, a hard disk, a magneto-optical disk, a
digital video disk, a magnetic tape or a semiconductor memory.

Each of the programs can be distributed and sold, independently of a computer on 
which the program is run, through a computer communication network. The computer 
readable information recording medium can be distributed and sold, independently of that 
computer. 

BRIEF DESCRIPTION OF THE DRAWINGS 
These objects and other objects and advantages of the present invention will
become more apparent upon reading of the following detailed description and the
accompanying drawings in which:

Fig. 1 is an exemplary diagram illustrating the schematic structure of a random
sequence generating apparatus according to one embodiment of the invention;

Fig. 2 is a flowchart illustrating the flow of control of a random sequence
generating routine to be executed by the random sequence generating apparatus of the
embodiment;

Fig. 3 is an explanatory diagram illustrating how to acquire the number of rotation
bits in a rotation section in the random sequence generating apparatus of the embodiment;

Fig. 4 is an explanatory diagram illustrating how to perform a rotation operation in
the rotation section in the random sequence generating apparatus of the embodiment;

Fig. 5 is an exemplary diagram illustrating the typical schematic structure of a 
computer which realizes the random sequence generating apparatus according to the 
embodiment; and 

Fig. 6 is an exemplary diagram illustrating the schematic structures of an encryption 
apparatus and a decryption apparatus. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 
A preferred embodiment of the invention is described below with reference to the
accompanying drawings. The embodiment described below is illustrative and does not
restrict the scope of the invention. Therefore, those skilled in the art can employ
embodiments in which those elements are individually or entirely replaced with their
equivalent elements, and which are also included in the scope of the invention.

(Embodiment)

In one embodiment of the invention to be discussed below, to generate a sequence
of "random numbers numerically expressed by w bits", mapping g(·, ·) which is defined as

g(a, b) = 2b^2 + h(a)b + q (mod 2^w)

using predetermined mapping h(·) and a predetermined
integer q (0 ≤ q ≤ 2^w - 1) is used as non-linear transformation on a finite field.

The embodiment may employ the following operation which clears a
predetermined bit in a numerical expression of a given value a by using a predetermined
mask value MASK:

h(a) = a and MASK.

The embodiment may also employ the following operation which inverts a
predetermined bit in the numerical expression of the given value a:

h(a) = a xor MASK.

Further, the embodiment may employ the following operation which sets 01 to least
significant two bits in the numerical expression of the given value a:

h(a) = (a and (not 3)) or 1.

In the above operations, the individual operators correspond to the numerical
expressions (integer expressions) of the value a; specifically, "and" corresponds to a bit
AND, "xor" corresponds to bit exclusive OR, "not" corresponds to bit inversion (bit NOT)
and "or" corresponds to bit OR.

Therefore, those operations can be accomplished using just what is prepared for an
integer operation for w bits and without a particular consideration on the carry-over and
carry-under in a computer.

It is desirable that the value of w should have a bit width of a machine word
prepared in a CPU (Central Processing Unit) in the computer or a smaller width.

RC6, which is said to be one of the fastest block encryption techniques at present,
is achieved by using non-linear transformation on a finite field:

f(x) = 2x^2 + x (mod 2^w)

but a random sequence generated from a seed always differs from a random sequence
generated from a different seed (one to one mapping) and the maximum period of the
random sequence to be generated is 2^w.

The mapping g(·, ·) which is used in this embodiment is a further generalization of
the non-linear transformation on a finite field employed in the RC6 and is capable of
generating a random sequence equivalent to a random sequence generated by the RC6
when using g(·, ·) with

h(a) = 1

and

q = 0.

As mapping different from what is equivalent to the mapping of RC6 can be selected in the
invention, multifarious variations of random numbers can be acquired.

It is proved through experiments that favorable random sequences are acquired even
when other operations and values are selected.

Fig. 1 is an exemplary diagram illustrating the schematic structure of a random
sequence generating apparatus according to the embodiment. Fig. 2 is a flowchart
illustrating the flow of control of a random sequence generating routine to be executed by
the random sequence generating apparatus of the embodiment. Referring to those diagrams,
the embodiment is discussed in detail below.

A random sequence generating apparatus 101 generates a sequence of integers of w 
bits and comprises a seed receiving section 102, an initialization section 103, a 
transformation section 104, a rotation section 105, an updating section 106 and an output 
section 107. 



The seed receiving section 102 in the random sequence generating apparatus 101
receives a sequence of integers s_1, s_2, ..., s_n, ..., s_m of w bits as a seed (step S201) where
1 ≤ n ≤ m-1.

While the sequence of integers s_1, s_2, ..., s_n, ..., s_m is stored in a memory, such as a
RAM (Random Access Memory), provided in the random sequence generating apparatus
typically, it may be stored in a readable and writable external recording medium, such as a
hard disk.

Then, the initialization section 103 provides the transformation section 104 with the
received sequence of integers s_1, s_2, ..., s_n, ..., s_m as an integer sequence x_1, x_2, ..., x_n, ..., x_m
(step S202).

RAM. In this case, the process is accomplished by transferring a value from the memory
corresponding to s_1, s_2, ..., s_n, ..., s_m to the memory corresponding to
x_1, x_2, ..., x_n, ..., x_m.

Further, the transformation section 104 performs transformation, defined by the
non-linear transformation g(·, ·), on each of the provided integer sequence x_1, x_2, ..., x_n, ..., x_m
to acquire a sequence of integers y_1, y_2, ..., y_n, ..., y_m of w bits (step S203).

As the transformation, transformations defined by the following recursion formulae
are available.

(1) Recursion formulae given below for an integer i (1 ≤ i ≤ m-1):

y_1 = g(x_m, x_1)

y_{i+1} = g(x_i, x_{i+1}).

(2) Recursion formulae given below for an integer i (1 ≤ i ≤ m-1) using a
predetermined integer c and mapping g(·, ·):

y_1 = g(c, x_1)

y_{i+1} = g(y_i, x_{i+1}).

(3) Recursion formulae given below for an integer i (1 ≤ i ≤ m-1) using mapping g(·, ·):

y_1 = g(c, x_1)

y_{i+1} = g(x_i, x_{i+1}).

Those computations can be accomplished by using an ALU (Arithmetic Logic
Unit) provided in the CPU. The sequence of integers y_1, y_2, ..., y_n, ..., y_m is likewise stored
in a memory or so.

The rotation section 105 acquires the number of rotation bits from the sequence of
integers y_{n+1}, ..., y_m (step S204). The following are available schemes for acquiring the
number of rotation bits.

Taking y_{n+1}, ..., y_m as a bit sequence, bits at predetermined bit positions are arranged
in order and the resultant value is taken again as an integer value. Fig. 3 shows how to
acquire an integer value from values at predetermined bit positions when w = 4 and m-n = 2.
In the illustrated example, three bits are extracted from a random sequence of eight bits.

There are eight integer values 0 to 7 (in case of sign-less integer values) obtained
from three bits. In this case, the direction of rotation employed is a "predetermined
direction (rightward or leftward)" and the integer value to be obtained is treated directly as
the number of rotation bits.

In an alternative case where one bit represents a sign (associated with a positive or
negative sign) and the amount of rotation is acquired from the remaining two bits, the value
may be rotated leftward in case of the positive sign or rightward in case of the negative sign
by the number of bits of the absolute value.

Then, the rotation section 105 performs a predetermined rotation operation by the
acquired number of rotation bits with respect to all of or a part of the sequence of integers
y_1, y_2, ..., y_n, ..., y_m taken as a bit sequence of wm bits, and acquires a sequence of integers
z_1, z_2, ..., z_n, ..., z_m of w bits from the acquired bit sequence of wm bits (step S205).

The following rotation operations can be used as the predetermined rotation
operation.

(1) A bit sequence of wn bits is cyclically shifted by the obtained number of
rotation bits. Fig. 4 shows the schematic structure in case where w = 4 and n = 4 and y_1,
y_2, ..., y_4 are arranged in big endian and are shifted leftward by one bit as the cyclic shifting.
This is a rotation operation to rotate a part of a bit sequence of wm bits.

(2) The entire bit sequence of wm bits is cyclically shifted by the obtained number
of rotation bits. The entire bit sequence of wm bits should be cyclically shifted in a manner
similar to the rotation of the bit sequence of wn bits in Fig. 4.

(3) Cyclic shifting of a bit sequence of wn bits in y_1, ..., y_n by the obtained number
of rotation bits or cyclic shifting of a bit sequence of w(m-n) bits in y_{n+1}, ..., y_m by the
obtained number of rotation bits.

Those schemes can be achieved by cyclically shifting all or a part of y_1, y_2, ..., y_n, ...,
y_m stored in the memory or so in a bit width unit natural to the CPU while considering the
carry-over and carry-under. In this case, z_1, z_2, ..., z_m to be obtained are stored as new
values in the area of the memory where y_1, y_2, ..., y_n, ..., y_m have been stored.

Further, the output section 107 determines whether transformation in the
transformation section 104 and rotation in the rotation section 105 have been repeated a
predetermined number of times or not (step S206).

The decision in step S206 can be made, for example, by setting a "value for the
predetermined number of times" to a counter variable prepared in the memory before step
S201, decrementing the value of the counter variable by 1 between step S204 and step S206
and determining whether the value of the counter variable becomes 0 or not.

When the transformation and rotation have been repeated a predetermined number
of times (YES in step S206), z_1, z_2, ..., z_n acquired last are output as a random sequence r_1,
r_2, ..., r_n (step S207) after which random sequence generation is terminated.

When the transformation and rotation have not been repeated a predetermined
number of times (NO in step S206), those z_1, z_2, ..., z_n, ..., z_m are given to the transformation
section 104 as an integer sequence x_1, x_2, ..., x_n, ..., x_m (step S208) after which the flow
returns to step S203 and transformation (step S203) and rotation (steps S204 and S205) are
repeated.

This operation can be accomplished by transferring a value in the memory or so
where z_1, z_2, ..., z_m are stored to the memory or so where x_1, x_2, ..., x_n, ..., x_m are
stored.
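
The routine of steps S203 to S208, as an added Python example (not code from the patent): it uses recursion (1), rotation scheme (3) with both parts rotated leftward, and h(a) = (a and (not 3)) or 1, and it also checks exhaustively for w = 8 whether b -> g(a, b) is one-to-one under two of the h(·) choices. The seed, the toy sizes w = 4, n = 2, m = 4 and the three extracted bit positions are assumptions made for illustration; the text only calls the positions "predetermined".

```python
# Added illustration of steps S203-S208; not code from the patent.

def h_set01(a, w):
    """h(a) = (a and (not 3)) or 1: least significant two bits forced to 01."""
    return ((a & ~3) | 1) & ((1 << w) - 1)

def h_identity(a, w):
    """h(a) = a."""
    return a & ((1 << w) - 1)

def g(a, b, w, q=0, h=h_set01):
    """g(a, b) = 2b^2 + h(a)b + q (mod 2^w)."""
    return (2 * b * b + h(a, w) * b + q) & ((1 << w) - 1)

def is_one_to_one(a, w, h):
    """Exhaustively check that b -> g(a, b) hits every w-bit value exactly once."""
    return len({g(a, b, w, 0, h) for b in range(1 << w)}) == (1 << w)

def transform(x, w, q=0, h=h_set01):
    """Recursion (1): y_1 = g(x_m, x_1), y_{i+1} = g(x_i, x_{i+1})."""
    y = [g(x[-1], x[0], w, q, h)]
    for i in range(len(x) - 1):
        y.append(g(x[i], x[i + 1], w, q, h))
    return y

def pack(words, w):
    """Join w-bit words big-endian (first word most significant), as in Fig. 4."""
    value = 0
    for word in words:
        value = (value << w) | word
    return value

def unpack(value, w, count):
    """Split a (w * count)-bit integer back into w-bit words."""
    mask = (1 << w) - 1
    return [(value >> (w * (count - 1 - k))) & mask for k in range(count)]

def rotl(value, nbits, r):
    """Cyclic left shift of an nbits-wide value by r bits."""
    r %= nbits
    return ((value << r) | (value >> (nbits - r))) & ((1 << nbits) - 1)

def rotation_amount(tail, w, positions):
    """Step S204: read the bits of y_{n+1}..y_m at `positions` (0 = leftmost bit)
    in order and take them as an unsigned integer."""
    nbits = w * len(tail)
    bits = pack(tail, w)
    r = 0
    for p in positions:
        r = (r << 1) | ((bits >> (nbits - 1 - p)) & 1)
    return r

def one_round(x, n, w, positions, q=0):
    """Steps S203-S205, rotation scheme (3): y_1..y_n and y_{n+1}..y_m are each
    rotated leftward by the same number of bits."""
    m = len(x)
    y = transform(x, w, q)
    r = rotation_amount(y[n:], w, positions)
    head = unpack(rotl(pack(y[:n], w), w * n, r), w, n)
    tail = unpack(rotl(pack(y[n:], w), w * (m - n), r), w, m - n)
    return head + tail

def generate(seed, n, w, rounds, positions, q=0):
    """Repeat transformation and rotation `rounds` times, then output r_1..r_n."""
    x = list(seed)                      # step S202: x_i = s_i
    for _ in range(rounds):             # steps S203-S206, S208
        x = one_round(x, n, w, positions, q)
    return x[:n]                        # step S207

# Constructed toy parameters with the Fig. 3 sizes (w = 4, m - n = 2).
W, N = 4, 2
SEED = [3, 5, 9, 12]       # constructed sample seed s_1..s_4
POSITIONS = (1, 4, 6)      # ASSUMED bit positions, not taken from the patent

if __name__ == "__main__":
    print("y =", transform(SEED, W))
    print("rotation bits =", rotation_amount(transform(SEED, W)[N:], W, POSITIONS))
    print("r =", generate(SEED, N, W, 1, POSITIONS))
    print("01 variant one-to-one for all a:",
          all(is_one_to_one(a, 8, h_set01) for a in range(256)))
    print("h(a) = a, a = 2 one-to-one:", is_one_to_one(2, 8, h_identity))
```

With h(a) = a an even a makes the coefficient of b even, and the check reports that g(a, ·) is then not one-to-one; the 01 variant always gives an odd coefficient, for which it is.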

The random sequence generating apparatus 101 has an unillustrated memory
section which can be constructed in such a way as to store s_1, s_2, ..., s_n, ..., s_m, x_1, x_2, ..., x_n,
..., x_m, y_1, y_2, ..., y_n, ..., y_m, z_1, z_2, ..., z_m, r_1, r_2, ..., r_n and so forth in different areas or in the
same area (e.g., y_1, y_2, ..., y_n, ..., y_m, z_1, z_2, ..., z_n, ..., z_m, etc.) through analysis of the
dependency of usages of the values. The individual sections exchange computed values to
one another using the common memory.

Fig. 5 is an exemplary diagram illustrating the typical schematic structure of a
computer which realizes the random sequence generating apparatus 101 according to the
embodiment. The structure is described by referring to Fig. 5.

A computer 301 is controlled by a CPU 302. When the computer 301 is powered
on, the CPU 302 executes an IPL (Initial Program Loader) prepared in a ROM (Read Only
Memory) 303.

The execution of the IPL loads an OS (Operating System) recorded in a flexible
disk loaded into a flexible disk drive 304 or a hard disk 305 or so, making the computer 301
ready for receiving various instructions input by a user.

The user manipulates a keyboard 306 or a mouse 307 to input various instructions
to the computer 301.

In accordance with the input, the OS causes the CPU 302 to execute a program
recorded in the hard disk 305 or a CD-ROM (Compact Disk ROM) loaded into a CD-ROM
drive 308 and process various kinds of data recorded therein, and displays the progress or
result of the processing on a display 309.

The CPU 302 uses a RAM 311 as a temporary memory area. The RAM 311 is
used to store various sequences of numbers to be used in computation as mentioned above.

Further, the CPU 302 can save information the result of processing a generated 
random sequence and progress of the processing in the hard disk 305 during execution of 
the program. 

An operation in this embodiment can be reduced to simple bit operations as
mentioned above. Therefore, the random sequence generating apparatus 101 can be
constructed by combining exclusive electronic circuits (adder, subtracter, shifter, latch, etc.)
or using an electronic component whose circuit structure can be changed variably, such as
an ASIC (Application Specific Integrated Circuit), DSP (Digital Signal Processor) or FPGA
(Field Programmable Gate Array). Those modes are included in the scope of the invention.

(Results of Experiment)

Random sequences were generated from the following data using the random
sequence generating apparatus 101 according to the embodiment:

w = 32

n = 32 and

g(a, b) = 2b^2 + h(a)b

where mapping h(·) is defined by an operation which sets 01 to the least significant two bits
in the numerical expression of the given value.

Further, each of transformation and rotation was done once per round. That is, the 
"predetermined number of times" is one. 

A random sequence to be output is r_1, r_2, ..., r_1024 consisting of a total of wn = 1024
bits.

20000 x 89999 types of seeds were given to this random sequence to output the
random sequence r_1, r_2, ..., r_1024 20000 x 89999 rounds.

Of FIPS 140-1 and FIPS 140-2, standard tests of checking the randomness of a
random sequence, the randomness checking test which would meet the standard security
specification was applied to individual bit positions in the random sequence of 1024 bits to
test the property of the random sequence generated by the embodiment.

In those tests, a bit sequence of 20000 bits was extracted from the individual bit
positions.

Monobit test which checks whether the frequency of occurrence of the value of a
bit at a predetermined position is lopsided or not.

Poker test which divides 20000 bits to 5000 patterns each of four bits and checks
whether the frequency of occurrence of the 4-bit pattern is lopsided or not.

Runs test which checks whether the frequency of occurrence of a run of a
predetermined length extracted from a random sequence is lopsided or not.

Long runs test which is similar to the runs test but negates randomness when there
are 34 or more runs in case of the FIPS 140-1 and negates randomness when there are 26 or
more runs in case of the FIPS 140-2.

The results of the experiment showed that in the FIPS 140-1, the sequence of 20000
bits in every one of the generated 1024 (bits) x 89999 samples passed the set standards.

In the FIPS 140-2, 99.92 percent of the sequences of 20000 bits in the generated
1024 (bits) x 89999 samples passed the set standards.

The invention was applied to NIST 800-22, a random test severer than the
aforementioned random tests, to check the randomness. The results showed that the use of
the rotation scheme (3) could provide extremely favorable random numbers.

As this algorithm was installed onto the FPGA of Virtex xcv1000 (100,000,000
system gates), a product of XILINX (trademark), Inc., a random sequence could be
generated at a speed of 25.62 Gbits/sec due to the parallel processing of the algorithm. That
is, the installation of the algorithm onto hardware, such as an FPGA, can bring about a
significant merit on improving the speed.

In short, it was proved that random sequences generated by the embodiment had an
extremely favorable property, would be effective in the field of encryption for privacy
communications and the field of simulation of physical phenomena, chemical phenomena
or so and would be remarkably effective to output random sequences with a good
randomness from hardware at a high speed.

(Encryption/decryption Apparatus) 

Encryption and decryption can be accomplished by using the above-described
random sequence generating apparatus. Fig. 6 is an exemplary diagram illustrating the
schematic structures of an encryption apparatus and a decryption apparatus which perform
such encryption and decryption.

An encryption apparatus 601 and a decryption apparatus 651 use s_1, s_2, ..., s_n, ..., s_m
as a common key. Then, a generating section 602 in the encryption apparatus 601 and a
generating section 652 in the decryption apparatus 651 have random sequence generating
apparatuses 201 with the same structure (same computation scheme) and receive the
common key s_1, s_2, ..., s_n, ..., s_m as an input. Then, both generating sections 602 and 652
generate the same random numbers r_1, ..., r_n.

In the encryption apparatus 601, an XOR section 604 transforms an integer
sequence p_1, p_2, ... of a transmission message, received by a message receiving section 603,
to p_1 xor r_1, p_2 xor r_2, ..., p_i xor r_{((i+n-1) mod n) + 1}, ... using the random numbers and outputs
the result as an integer sequence e_1, e_2, ..., e_i, ... of the encrypted message where "xor" means
the aforementioned exclusive OR and "a mod n" means the remainder of division of a by n.

A message receiving section 653 in the decryption apparatus 651 receives the
integer sequence e_1, e_2, ..., e_i, ... of the encrypted message and an XOR section 654
transforms the integer sequence to e_1 xor r_1, e_2 xor r_2, ..., e_i xor r_{((i+n-1) mod n) + 1}, ... and outputs
the result as an integer sequence f_1, f_2, ..., f_i, ... of the encrypted message.
As

f_i = e_i xor r_{((i+n-1) mod n) + 1}
    = (p_i xor r_{((i+n-1) mod n) + 1})
      xor r_{((i+n-1) mod n) + 1}



the integer sequence of the encrypted transmission message is identical to the integer
sequence of the original transmission message, which is the proof that encryption and
decryption can be done properly.

The length of a message to be processed can be set to n or less. In this case,
((i+n-1) mod n) + 1 can be replaced with i. This can make the confidentiality higher than the
repetitive use of the same random sequence.
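
The XOR section and the index ((i+n-1) mod n) + 1, as an added Python example (not code from the patent), showing that one call both encrypts and decrypts and what the repetition mentioned above exposes once a message is longer than n. The random words r_1..r_4 and both messages are constructed sample values, with w = 8 and n = 4 assumed.

```python
# Added illustration of the XOR sections 604/654; not code from the patent.

def keystream_index(i, n):
    """1-based index ((i + n - 1) mod n) + 1 of the random word paired with p_i."""
    return ((i + n - 1) % n) + 1

def xor_crypt(words, r):
    """Output p_i xor r_{((i+n-1) mod n)+1}; the same call encrypts and decrypts."""
    n = len(r)
    return [p ^ r[keystream_index(i, n) - 1] for i, p in enumerate(words, start=1)]

def reuse_leak(cipher, n):
    """e_i xor e_{i+n} for every i at which the random sequence has wrapped around.
    The random word cancels, leaving p_i xor p_{i+n}."""
    return [cipher[i] ^ cipher[i + n] for i in range(len(cipher) - n)]

# Constructed sample data (w = 8, n = 4).
R = [0xA3, 0x5C, 0x0F, 0x96]      # stand-in for r_1..r_n from the generator
LONG_MSG = list(b"meter=0417")    # 10 words > n: r_1..r_n is used repeatedly
SHORT_MSG = list(b"0417")         # 4 words <= n: index reduces to i

def demo():
    """Round trip plus the relation visible in ciphertext alone for each message."""
    n = len(R)
    e_long = xor_crypt(LONG_MSG, R)
    e_short = xor_crypt(SHORT_MSG, R)
    return {
        "roundtrip": xor_crypt(e_long, R) == LONG_MSG,
        "leak_long": reuse_leak(e_long, n),
        "plain_xor": [LONG_MSG[i] ^ LONG_MSG[i + n] for i in range(len(LONG_MSG) - n)],
        "leak_short": reuse_leak(e_short, n),
    }

if __name__ == "__main__":
    print([keystream_index(i, len(R)) for i in range(1, 10)])
    for name, value in demo().items():
        print(name, value)
```

For the long message the values computed from ciphertext alone equal p_i xor p_{i+n}; for a message of length n or less there is no such pair.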

Because the encryption apparatus 601 and the decryption apparatus 651 have quite
the same structure, one apparatus with the structure can be used as the encryption apparatus
601 in one case and as the decryption apparatus 651 in some other case.

As described above specifically, the invention can provide a random sequence
generating apparatus and random sequence generating method, which generate a sequence
of random numbers having a preferable property as a random sequence, an
encryption/decryption apparatus and encryption/decryption method which uses the random
sequence generating apparatus and method, and a program which achieves those
apparatuses and methods using a computer.

Various embodiments and changes may be made thereunto without departing from the
broad spirit and scope of the invention. The above-described embodiment is intended to
illustrate the present invention, not to limit the scope of the present invention. The scope of
the present invention is shown by the attached claims rather than the embodiment. Various
modifications made within the meaning of an equivalent of the claims of the invention and
within the claims are to be regarded to be in the scope of the present invention.

This application is based on Japanese Patent Application No. 2003-75438 filed on 
March 19, 2003 and including specification, claims, drawings and summary. The 
disclosure of the above Japanese Patent Application is incorporated herein by reference in 
its entirety. 



